Cybersecurity Insurance 101 for MSPs | Shoering Up Security, S. 2, Ep. 7

In Cybersecurity

Cybersecurity Insurance 101 for MSPs | Shoering Up Security, S. 2, Ep. 7 - read the full article about Cybersecurity 2021, Cybersecurity and Network security and pen testing from CompTIA Connect on Qualified.One

Share

Tweet

CompTIA Connect
Youtube Blogger

Unknown: Welcome back to shoring up security. Im MJ shore Senior Vice President and Executive Director of the CompTIA ice out.

Please subscribe to this CompTIA connect YouTube channel for updates on new episodes in this series, as well as all of our other great series that we run. In this video, were discussing the ins and outs of cyber insurance, why you need it, why customers need it, and how it can help you in selling your cybersecurity services. to demystify the cyber insurance landscape. We have Jacob fingers love of the Hartford joining me today CompTIA has partnered with the Hartford to provide a customized business insurance program exclusively as a CompTIA. member benefit Jacob Welcome. Good to see you again.

Thanks. Thanks for having me. Yeah, its a pleasure. So to get started, why dont you tell us a little bit about yourself and a little bit about the Hartford? Yeah, absolutely. So to start with my employer, the Hartford, were one of the largest property casualty insurers in the US, we also operate internationally. And we particularly operate in this small business space. And thats going to tie in nicely to our conversation today, because cyber risk is an issue to lots of businesses out there, but particularly small businesses should should be aware of cyber risk as an issue and what they can do to protect themselves.

For myself, Ive worked in the insurance industry for just over 20 years, started my career and in, in a small country over on the other side of the Atlantic Denmark. And, and since then, Ive had the opportunity to work in the London Lloyds market, and then for the past nine years here in the US. So its been exciting, and for quite a long part of it working with cyber insurance.

Thats great. And I think, you know, your point is well taken.

And I think, you know, for our members, certainly for CompTIA members and members of the CompTIA, I saw that that small business aspect is so important, because, as you say, its, you know, sometimes people think of this as the domain of the larger companies out there, but its just as applicable to small businesses. So, you know, I cant imagine there are many out there that dont know, but just in case, can you give us a little primer on what cyber insurance is and why businesses should be carrying it? Yeah, absolutely. And Ill caveat that first and foremost, with it isnt a one size fits all norm there lots of different types of cyber insurance products out there. And even within the Hartford, we offer a wide range of different solutions. So at the broadest scope, the the actual cyber insurance policies that just dedicated to covering that you sort of have two sections, youve got the liability side.

So thats similar to your general liability policy, you have the the first party site thats kind of similar to your property or, or, you know, home or business insurance policy that covers your property and your contents. Its just the triggers are different. Its not fire or flooding, or whatever you might see, instead of the physical world, its cyberattacks that we cover on these policies. But they look otherwise similar to business owners policy from that perspective, general liability, cyber liability, first party cyber property insurance quite similar. So those are the broader sort of policies. But then there are lots of variations where you have an endorsement to your business owners policy for data breach, maybe or for the first party cyber, and then thats isolated.

And this data breach, does that. Does that get into ransomware as well? Are those different elements from an insurance perspective? So really good question. Because what were seeing is a lot of blending of those attacks right now. So thats a good reason why you need to have both spread actors will deliver ransomware and so network, but they might steal your data first, to put more pressure on you to pay that ransom. So you have both risks in one attack.

Interesting. So in what you just described from policy being similar to you know, the standard business liability or business property coverage, are there any other elements of whats typically covered in a cyber insurance policy that that people might not know about? Yeah, obviously, ransomware is a big topic right now. So some policies cover this, you know that the extortion piece that youre presented with, theres also a fair amount of cyber fraud that takes place where people are tricked into transferring money to criminals, rather than a vendor that they thought transferring money to for example. So some policies have the the optional coverage of, of cybercrime coverage or wire transfer fraud coverage. So thats, thats one thats, thats good to have as well.

Got it. Got it. So our cross, you know, with, with what you see, from your perspective from the industry, what types of losses are you seeing in the cyber insurance space? And, and how has that changed over the last few years? Yeah, I mean, traditionally, and this is really why cyber insurance happened as a as a concept or as a product to begin with, was was data breaches, you know, back in the early 2000s. I mean, there were policies or products around prior to that, but really, when it started, sort of, you know, growing and becoming more of a standardized product was was data breach regulation in the early 2000s. And, and today in the US, we have data breach laws in all 50 states, plus a few federal ones.

So, so that was cyber insurance, in sort of birth reason, if you will, and, and that went on for a long time as the main driver of loss. And thats, that speaks to the liability portion of the of the coverage, you can be sued for having a data breach that exposes your customers data, if its personally identifiable data. And then there are certain obligations you have, as a company, if you have a data breach, which is you have to notify the individuals, you have to offer credit monitoring, to mitigate the risk of identity theft, fraud, and so on. What weve seen the last two, three years is a huge shift over to ransomware. And thats just simply because its become the most efficient way for threat actors to monetize their cybercrime efforts. So theyve theyve sort of turned away from data breaches as their preferred attack method and and cybercrime method into ransomware. But as, as companies get more aware of the risk, start backing up their data, to not have to pay a ransom and recover instead, then theyve mixed it up with data breaches as well as stealing data before encrypting data. So thats what were seeing. And then in the wire transfer fraud area, thats been consistently growing for several years. Those are not as big losses on average, but thats probably the type of loss we see the most stuff. So in 2020, for example, there were just under 20,000 incidents reported to the FBI for wire transfer, theft and, and so thats something you do have to be aware of, yeah, remember the last major breach or wasnt really a breach. But the last major incident I was involved in before I left being an MSP myself was a was a wire transfer fraud case. And I remember working very closely with the insurance company and the risk managers to understand how it happened in this particular instance, it turned out to be in a business process control issue, not a not a technology issue by any stretch. So but thats a thats a completely different topic than this. So thinking about our members, thinking about MSPs solution providers, vendors and the other technology companies that that are CompTIA members, and those that are out there carrying insurance, are you seeing more and more getting this type of coverage? Or is there still a gap out there and adoption? Theres still quite a gap. We think the penetration rate of cyber insurance fall industries in the US is somewhere south of 20%. Really, lots of companies Yeah, lots of companies are still considered out there. And but theres, theres tremendous growth going on. At the same time. We are obviously seeing lots of news stories about cyber attacks. And thats really all helping create awareness about the protection you can you can purchase besides trying to protect yourself with with cybersecurity controls, obviously. So, so I think theres lots of room to grow. Its its important to point out with the group you you mentioned, and who are your members, that comes here, its its technology companies and they typically will purchase cyber insurance, not by itself, but integrated with what we call technology errors and omissions coverage. And thats thats the type of coverage that applies if you know if you make technology mistakes as a vendor, if youre if your software fails on different different types of scenarios that dont have to do with cyber and just sort of technology failure as a concept. And then you get the equivalent coverage to a cyber insurance policy with that technology errors and omissions policy. So thats thats how we usually sell it to say technology companies and and thats the military its really the best way for them to purchase it. And there theres theres a little bit higher penetration rate but again, its its as usual with with insurance to larger companies have been the first to adopt insurance. And that goes for cyber and techie, you know, technology errors and emissions, as well. So we need more adoption rate in the small business space. And some of it comes through contractual requirements. Thats quite typical in the technology space.

So thats a good reason to, to get coverages, youre contractually required to carry it, by by your customer. So that sort of those are the trends were seeing. But last year, cyber insurance grew about 29% in the US.

Got it. So another another thought just came to mind in this regard, and something we hear from members that there seems to be a lot of concern, and Im not sure if you can comment directly on this, or just, you know, more anecdotally, but weve certainly seen some concern in the marketplace about the increase in premiums. And is that, you know, from your perspective, is that in response to the increase in claims activity, or the increase in the overall risk thats out there? Or is it more related to organizations not doing the right things that Does that have an impact on the actual cost to a consumer, its all kind of connected, not doing the right thing, leads to more losses, leads to higher premiums, maybe I cant speak for the other carriers out there. But But insurance generally, you know, works on the basis of you try and figure out what your losses are going to be in a given year, and set your pricing on that basis, as with some other areas of insurance, like property insurance, where we have to deal with hurricanes, and, and hail storms. And, you know, thankfully, not as frequently, but but earthquakes as well.

There is an element of that sort of catastrophe risk to cyber as well. And weve seen some of these events play out in the past, we havent had, you know, the big one, thats gonna really, really cause a significant amount of loss across the industry, but, and for non insured companies as well. But weve seen enough that we know what can happen. So we have to take account of that in pricing as well. And, and but I think its fair to say that there were more losses in 2020 than any other year before in cyber. Yeah. And I think 2021 is not going to be that different. So naturally, thatll thatll have some impact on the terms and conditions.

Its got to be almost like a, like, a new market. In some respects, youve got to youve got to get some historical trend analysis to know what the risk is going to be over an extended period of time. But as with so many things, technology, and cyber specifically, that thats gonna be a bit of a difficult exercise on on the folks that do that kind of work.

Yeah, I think its important to point out, you can help yourself a lot in that process, if you have the right set of controls, and there are certain things that are becoming a minimum requirement in the market, multi factor authentication is a really important one. Again, theres theres not a single solution that fixes all of your cyber risk issues. But But multi factor authentication does do a lot. Weve seen threat actors get to backups and destroy the backups before they infect the nest, the rest of the network. And there are certain ways you can prevent that from happening, or at least, you know, mitigate it to some extent, which is, you know, having a protected backup, keeping it offline. Putting certain restrictions in place as to who can access to backup environment, you can maintain it in immutable state. So there are lots of different solutions. And I think when buying insurance coverage, youre going to be viewed upon more favorably if you have those controls, and if you dont have them.

So is it important for, you know, a technology company to get into? I dont know if a deep dialogue is the right way to say it. But But is it appropriate for a proposed insured to ask the carrier? You know, what controls should we have in place? Or I mean, I imagine a lot of thats in the questionnaire, but are there are there deeper conversations that should take place around the controls and and what theyre looking for coverage and making sure that they have things in alignment upfront? It depends a little bit on the size of insured in each case, but we try and work with all of our customers to help them identify any critical vulnerabilities that they might have. We use tools that really show the same view Have a network as the hackers would be able to see. So sort of scan, I think, you know, then then you are at Target, if you can not show up in the scan, then youre not going to be a target as much. And then beyond that we use questionnaires or so called ransomware supplements, to really find information that we can find in an automated scan. So for us, its often more of a an interaction with a customer. Think of it as risk control or loss control. Thats something thats been traditionally used in the property insurance area, and were trying to implement that in the cyber insurance area as well. So so we, you know, we dont just tell a customer to go away. If we dont like what we see we try and help them improve the situation.

Oh, thats great. I think thats I think that may be the most important Portland comment of this episode right there that an organization like the Hartford is willing to work with your proposed insured or your customers and help them improve certainly for the for the small businesses out there, that that would be an incredibly valuable exercise to go through rather than just submitting an application and waiting to hear yes or no. So I think I think thats great. And I think thats a thats a great spot to wrap up. So thats it for todays episode of shoring up security. Jacob, thank you so much. You shared some really great insight into this. I know its a its a hot topic among our members. So I really appreciate you coming on with me today and sharing all the insight that you have.

Thanks for having me. Always a pleasure.

Great. Keep an eye out for more video episodes right here on the CompTIA connect YouTube channel. And if you havent seen prior episodes of this season of shoring up security or our first season, go back through the playlist and watch the episodes.

Thanks so much for watching the series. If youve got suggestions on what youd like to see in an upcoming season, feel free to comment below or reach out anytime. Thank you so much for watching. Together we can fight back against cyber threats and make our industry more resilient. Stay safe.